Security audit

Bidding information from 17 websites for Yannan and the Economic Development Zone, Yancheng, Jiangsu (江苏盐城盐南、经开17个网站招标信息)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it needs review because it can run unattended, read Feishu credentials, and send collected reports externally with weak safety boundaries.

Review before installing. Use a dedicated least-privilege Feishu bot, verify the exact chat/user IDs, disable unattended cron delivery until tested, avoid proxy or anti-bot bypass behavior without authorization, and store Feishu secrets in a protected secret store rather than shell startup files or committed .env files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill invokes shell commands, reads and writes local files, accesses the network, and appears to rely on environment/config data, yet it declares no permissions or user-visible capability boundaries. This creates a transparency and authorization gap: an agent could execute data collection and outbound messaging with broader access than the user expects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is limited to regional bidding collection and reporting, but the behavior includes reading local Feishu credentials, sending messages/files to users or groups, webhook-based outbound messaging, and processing broader data sources. This mismatch is dangerous because users may authorize the skill under a narrower trust assumption while it performs credential access and external communications beyond that stated scope.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
This section adds nationwide/province-wide sources such as 中国政府采购网、江苏政府采购网、江苏省公共资源交易网, which materially expands the acquisition scope beyond the stated regional bidding assistant purpose. In an agent skill, this kind of undocumented scope creep can enable over-collection, compliance issues, and use of the skill for broader surveillance or scraping than users expect.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The document explicitly plans for using proxy IPs to bypass anti-scraping protections, which introduces capability beyond ordinary browsing and can facilitate unauthorized access patterns or evasion of site controls. In the context of an automated data-collection skill, this increases legal, policy, and abuse risk because the agent is being prepared to overcome deliberate access restrictions rather than operate within normal allowed access.

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
Several crawlers are marked REGIONAL_COMPANY=True, causing full ingestion from entire company or site feeds without verifying each record is actually within 盐南高新区 or 经开区. This creates scope overcollection and mislabeling risk, which can lead to unauthorized processing, incorrect downstream reporting, and unintended disclosure when pushed to files or Feishu.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The crawler force-labels all records from 开发区公共资源交易网 as 经开区 without validating the actual content. This can poison downstream datasets, cause false reporting, and expand collection beyond the intended scope if the source contains other regions or mixed content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises automated Feishu pushing and scheduled execution but does not provide a clear warning that collected data and generated reports will be transmitted to external recipients. Unattended outbound transmission increases the risk of unintended disclosure, misdelivery, or ongoing data sharing without the operator's active awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron section defines unattended daily collection, report generation, and Feishu group delivery to a specific target without emphasizing the security and data-handling consequences of automatic execution. Scheduled jobs can continue exfiltrating or distributing content after configuration drift, recipient changes, or user misunderstanding.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide documents an /execute endpoint that can perform browser actions and run arbitrary JavaScript via the evaluate action, but it provides no security warnings, authentication guidance, or access restrictions. If this relay is exposed beyond a trusted local environment, an attacker could drive the browser, access authenticated web content, or execute scripts against visited pages, turning the service into a powerful browser automation proxy.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly relies on repeated screenshots of a live procurement website and agent-side analysis, but provides no safeguards for handling credentials, personal data, account information, or other sensitive content that may appear during login flows or page interaction. In this skill context, that is more dangerous because the process is designed for autonomous collection and screenshot review across dynamic pages, increasing the chance of capturing and retaining unintended sensitive data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The embedded JavaScript extracts titles, dates, and links from the target site and returns them as structured data, but the workflow contains no restrictions on what may be collected, stored, or redistributed. In a bidding-collection assistant, this materially increases risk because the skill is specifically intended to automate scraping, reporting, and downstream pushing to Feishu, so any overcollection or collection of restricted data can propagate quickly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The anti-crawling section provides operational evasion guidance—random User-Agent, proxies, and Playwright for blocked sites—without any warning or control framework around authorization, terms-of-service, or legal risk. That makes the skill more dangerous because it normalizes bypass behavior and could be directly reused to evade technical protections on third-party websites.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide recommends persisting Feishu App ID, App Secret, and chat ID in shell startup files and a plain .env file, which increases the chance of local disclosure, backup leakage, shell-history exposure, or accidental commits. This is not overtly malicious, but it does normalize unsafe secret handling for long-lived credentials used to access an external messaging platform.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The examples demonstrate uploading PDF reports and sending messages to Feishu without warning that report contents, filenames, and chat identifiers are transmitted to a third-party service. In a bidding-assistant context, the reports may contain commercially sensitive procurement information, so users should be informed about data egress and recipient scope.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
This code sends project data to an external Feishu notifier without any consent gate, destination validation, or minimization controls visible in this file. In an automation skill that aggregates potentially sensitive procurement information, automatic external transmission increases the risk of unintended data disclosure, especially if the notifier is misconfigured or used in the wrong context.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.